
A Directory Service is a software application that stores and organizes information about the network's users and resources. The Directory Service allows network administrators to manage users' access to those resources. The Directory acts as a central point of control and management for the network operating system.
The main advantages of Directory Services are:
• Simplified management: By acting as a single point of management, a directory eases the administrative tasks associated with complex networks.
• A higher level of security: Directories offer a single logon facility and a more secure authentication process.
• Interoperability: Most Directory Services available today are based on industry standards such as X.500 and the Lightweight Directory Access Protocol (LDAP). This allows resources to be shared in a heterogeneous environment.
A Directory Service stores its data in its own database. The following are the important kinds of data kept in the Directory Service database:
• User Account Information (Login name, Password, Restrictions).
• User Personal Information (Phone number, Address, Employee ID).
• Peripheral Configuration Information (Printers, Modem, Fax).
• Application Configuration (Desktop Preference, Default Directories).
• Security Information.
• Network Structure.
• Network Infrastructure Configuration.

The International Telecommunication Union (ITU) and the International Organization for Standardization (ISO) proposed the X.500 standard in 1988.
X.500 was a very good directory standard and provided a lot of new functionality and security. The problem with X.500 was that it was difficult to implement: the X.500 Directory Access Protocol (DAP) was too complex and used the OSI network protocols instead of TCP/IP.
The Lightweight Directory Access Protocol (LDAP) was developed after X.500 and is based on it. Since LDAP originated from X.500, the structures of X.500 and LDAP directories are almost the same, and LDAP directory implementations are often also X.500 compliant.
The first version of LDAP was released in 1993 as RFC 1487; it was not successful because it lacked many features provided by X.500. Scientists at the University of Michigan released the first LDAP directory server, and LDAPv2 was published as RFC 1777 in 1995; it became the basis for many future directory servers. LDAP version 3 (v3) is defined by nine RFC documents: RFCs 2251 through 2256 give the core details and were later followed by RFCs 2829, 2830 and 3377. All these RFCs together are known as LDAPv3, which was released in December 1997.

What is Active Directory?

Active Directory® is Microsoft's implementation of Directory Services. Its purpose is to store information about users, resources and other network components, and to provide that information according to the access permissions of the entity requesting it.
Active Directory (AD) is meant for use in Microsoft Windows network environments and provides central authentication and authorization services for Windows-based computers.
Active Directory uses the Lightweight Directory Access Protocol (LDAP), which is derived from the X.500 data model. Hence Active Directory is X.500 compliant.
The Directory Service should provide an efficient way to manage, find and access all the resources (computers, users, printers etc.) in the network. The following are the features that a good Directory Service implementation should provide. Microsoft's Directory implementation (Active Directory®) addresses all of them.
• Centralization: Active Directory is a centralized directory implementation providing a single database of network resources.
• Scalability: Active Directory allows its database to be partitioned and distributed across the domains that make up the network, while still being managed as a single directory.
• Standardization: Active Directory is standardized because it is made accessible through the Lightweight Directory Access Protocol (LDAP), which is an IETF standard.
• Extensibility: Active Directory allows third-party developers to store their own application's information inside Active Directory and make use of the features Active Directory provides.
• Separation from the physical network: Active Directory makes the physical structure of the network transparent; only the logical structure is visible to users.
• Security: Active Directory is tightly integrated with Windows Server 2003 security, and the major security protocols make it more secure.
• Domain Name System (DNS) support: Active Directory supports DNS and requires DNS to function properly.
• TCP/IP compatibility: Active Directory and Windows Server 2003 use the TCP/IP protocol stack as their primary method of communication.

Active Directory files and their functions

Ntds.dit
Ntds.dit is the main AD database file. NTDS stands for NT Directory Services. The DIT stands for
Directory Information Tree. The Ntds.dit file on a particular domain controller contains all naming
contexts hosted by that domain controller, including the Configuration and Schema naming contexts. A
Global Catalog server stores the partial naming context replicas in the Ntds.dit right along with the full
Domain naming context for its domain.

Edb.log
Edb.log is a transaction log. Any change made to objects in Active Directory is first saved to a transaction log. During non-peak times in CPU activity, the database engine commits the transactions into the main Ntds.dit database. This ensures that the database can be recovered in the event of a system crash. Entries that have not yet been committed to Ntds.dit are kept in memory to improve performance. Transaction log files used by the ESE engine are always 10 MB. (ESE, the Extensible Storage Engine, is an Indexed Sequential Access Method (ISAM) data storage technology from Microsoft; it is the core of Microsoft Exchange Server and Active Directory.)

Edbxxxxx.log
These are auxiliary transaction logs used to store changes if the main Edb.log file gets full before it can
be flushed to Ntds.dit. The xxxxx stands for a sequential number in hex. When the Edb.log file fills up,
an Edbtemp.log file is opened. The original Edb.log file is renamed to Edb00001.log, and Edbtemp.log
is renamed to Edb.log file, and the process starts over again. Excess log files are deleted after they have
been committed. You may see more than one Edbxxxxx.log file if a busy domain controller has many
updates pending.

Edb.chk
Edb.chk is a checkpoint file. It is used by the transaction logging system to mark the point at which
updates are transferred from the log files to Ntds.dit. As transactions are committed, the checkpoint
moves forward in the Edb.chk file. If the system terminates abnormally, the pointer tells the system
how far along a given set of commits had progressed before the termination.

Res1.log and Res2.log
Res1.log and Res2.log are reserve log files. If the hard drive fills to capacity just as the system is
attempting to create an Edbxxxxx.log file, the space reserved by the Res log files is used. The system
then puts a dire warning on the screen prompting you to take action to free up disk space quickly before
Active Directory gets corrupted. You should never let a volume containing Active Directory files get
even close to being full. File fragmentation is a big performance thief, and fragmentation increases
exponentially as free space diminishes. Also, you may run into problems as you run out of drive space
with online database defragmentation (compaction). This can cause Active Directory to stop working if
the indexes cannot be rebuilt.

Temp.edb
This is a scratch pad used to store information about in-progress transactions and to hold pages pulled
out of Ntds.dit during compaction.

Schema.ini
This file is used to initialize the Ntds.dit during the initial promotion of a domain controller. It is not
used after that has been accomplished.

What is an Active Directory Naming Context or Directory Partition?

All of the objects in the Active Directory forest are represented in the Directory Tree. A Directory Tree is a hierarchy of objects and containers in a directory that can be viewed graphically as an upside-down tree, with the root object at the top. A tree shows how objects are connected in terms of the path from one object to another.
The Active Directory Directory Tree is partitioned to allow sections to be distributed (replicated) to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a "Naming Context", also known as a Directory Partition. A Naming Context is replicated as a unit to the other domain controllers in the forest that contain a replica of the same subtree.
In Active Directory, a single server always holds at least three naming contexts:

Schema Naming Context
Schema Naming Context contains definitions of the objects that can be created in the forest and the attributes those objects can have. Objects in the schema partition must be replicated to all domain controllers in all domains in the forest.

Configuration Naming Context
Configuration Naming Context contains objects that represent the logical structure of the forest, including the domain structure and replication topology. Objects in the configuration partition must be replicated to all domain controllers in all domains in the forest.

Domain Naming Context
Domain Naming Context contains all of the objects stored in a domain. Objects in the domain partition can be replicated only to domain controllers within the domain.

What is Active Directory Replication?
Windows 2003 Active Directory has a distributed directory structure and stores objects (users, computers, printers etc.). Objects stored in Active Directory are distributed across different domain controllers in a forest. Active Directory replication is the process by which changes that originate on one domain controller are automatically transferred to other domain controllers in the forest.
Replication is necessary in Active Directory to ensure:
• Fault tolerance: If one domain controller fails, the Active Directory database is still available from other domain controllers, which store the same information.
• Load balancing: When many workstations are accessing Active Directory, the information they request is retrieved faster when there is more than one domain controller to provide it.
• Proximity of information: Workstations get the information from a local domain controller instead of across a slow WAN link.
The replication process ensures that changes made to a replica on one domain controller are synchronized to the replicas on all other domain controllers within the domain.
The following actions trigger replication between domain controllers:
• Creating an object (When adding a user or a computer)
• Modifying an object
• Moving an object
• Deleting an object
You can use several different methods to force replication.
• Using the Active Directory Sites and Services MMC snap-in (Dssite.msc)
• Using Repadmin
• Using Replmon
• Using a script
There are two types of Active Directory Replication.
1) Intrasite (Replication within a site)
2) Intersite (Replication between sites).
The following table compares Intrasite and Intersite replication.

Function | Intrasite Replication | Intersite Replication
Compression | To save CPU time, replication data is not compressed. | To save WAN bandwidth, replication data greater than 50 kilobytes (KB) is compressed.
Replication model | To reduce replication latency, replication partners notify each other when changes need to be replicated and then pull the information for processing. | To save WAN bandwidth, replication partners do not notify each other when changes need to be replicated.
Replication frequency | Replication partners poll each other periodically. | Replication partners poll each other at specified intervals, only during scheduled periods. If updates are necessary, operations are scheduled to pull the information for processing.
Transport protocols | Remote procedure call (RPC). | IP or Simple Mail Transport Protocol (SMTP).

Introduction to Active Directory Sites and what is an Active Directory site?

An Active Directory site is a physical subnet that is connected using a reliable, high-bandwidth
connection. An Active Directory site structure represents the physical structure of your network and
is separate from the logical structure of the network, which is represented by forests, domains, and
organizational units. Sites are used to designate replication boundaries and isolate logon
authentication traffic between physical network locations.

A single Active Directory site can contain resources from different Active Directory domains, and a
single Active Directory domain can exist across different Active Directory sites.

You should create additional Active Directory sites to control Active Directory replication traffic and
to isolate logon traffic.

Remember, an Active Directory site is connected using reliable, high-bandwidth connection. Each
site should have at least one Active Directory Domain Controller and one Global Catalog, to avoid
using low bandwidth WAN connection for Active Directory replication traffic and to isolate logon
traffic.

Each Active Directory site should have at least one DNS server and one DHCP server for name
resolution and to assign automatic IP setting to computers.
How to create an Active Directory site
Active Directory Sites can be created using the Active Directory Sites and Services snap-in (Start >
Programs > Administrative Tools > Active Directory Sites and Services). Windows Server 2003 creates
the first site automatically when AD is installed. The default name of the first site is "Default-First-Site-
Name" and includes all the domain controllers. It is possible to rename the default site, but it should
never be deleted. Additional sites must be created manually.
Right Click Sites and select "New Site" from the popup menu.

The "New Object-Site" dialog box allows you to enter the name of the new Active Directory site and to
select the site link for the new site. Windows Server 2003 creates a default site link called
DEFAULTIPSITELINK that can be used to establish the replication process of the Active Directory
service. This default site link uses RPC over TCP/IP, and it will use any available route to the remote
site for replication.

After the new Active Directory site is created, some other tasks still need to be completed; Windows 2003 lists these tasks in the dialog box:
• Add required IP subnets to the new site.
• Install a new Active Directory Domain Controller, or move an existing Active Directory Domain
Controller to the new site (Although a domain controller is not mandatory for a site, it is strongly
recommended for obvious reasons).
• Connect the site to other existing Active Directory sites within the forest with the appropriate site
link.
• Configure a licensing server within the site.
How to create and configure subnets for Active Directory Sites
A subnet is a portion of the IP address space of a network. Subnets are described by their IP network address combined with a subnet mask measured in bits.
The subnet objects in Active Directory are the logical representation of the subnets in your physical network environment.
Subnet information is used by clients to find a Domain Controller in the same site, and by Active Directory replication to determine the best routes between domain controllers.
Subnets must be defined in Active Directory to ensure accurate and efficient directory replication and resource usage.
To create a new subnet, right click the subnets folder and select "New Subnet" from the popup menu.

In the New Object - Subnet dialog box shown below, type the subnet address and the subnet mask that
may be used in this site's subnet. Choose a site to associate this subnet (In this example, I have selected
"Chennai" site), and then click OK. Note that the CIDR notation of the address is also displayed in the
dialog box.
To create another subnet object, again right click the subnets folder and select "New Subnet" from the
popup menu.

In the New Object - Subnet dialog box shown below, type the new subnet address and the subnet mask
that may be used in next site's subnet. Choose another site to associate this subnet (In this example, I
have selected "Bangalore" site), and then click OK.
Now you can see the two subnets created in this exercise and their associated sites displayed in the Active Directory Sites and Services snap-in.

What is an Active Directory Site link?

An Active Directory site is a physical subnet that is connected using a high-speed connection. Active Directory sites are connected to each other using site links, which represent low-bandwidth, unreliable connections. Windows 2003 creates one default site link, "DEFAULTIPSITELINK", which can be used for a site-to-site connection between two sites. "DEFAULTIPSITELINK" can be renamed in the Active Directory Sites and Services snap-in, and an administrator can create additional site links using the same snap-in.
Since site links are used over low-bandwidth WAN links, the primary consideration when configuring site links is bandwidth usage. By default, replication is scheduled to occur over the site link 24 hours a day, 7 days a week, at an interval of 180 minutes. If you have limited bandwidth, you should consider altering this.
When multiple links are configured between sites, the priority of each link should be considered. You should assign link priority based on the availability and reliability of the connection. The default link cost is 100, and if there are many links to a site, the link with the lowest cost is used first.
You can use either of two transport protocols with site links.
Directory Service Remote Procedure Call (DS-RPC)
DS-RPC can be used when there is a live, reliable connection between two or more domain controllers in different sites. IP site links communicate synchronously, meaning each replication transaction must complete before another can start. By default, intersite IP replication adheres to replication schedules and does not require a certificate authority (CA).

Inter-Site Messaging Simple Mail Transport Protocol (ISM-SMTP)
SMTP replication can be used when the network connections are unreliable. SMTP site links communicate asynchronously, which means each replication transaction does not need to complete before another can start. Schedules are not available for SMTP replication, and SMTP replication requires a CA to sign the SMTP messages to guarantee the authenticity of directory updates.

Important Notes to remember
• Intrasite replication always uses RPC over IP.
• Intersite replication can use either RPC over IP or SMTP.
• Intersite replication using SMTP is supported only for domain controllers in different domains. Domain controllers in the same domain must replicate using RPC over IP.

How to create an Active Directory Site Link

To create a new Site Link, follow these steps.
• Open the "Active Directory Sites And Services" snap-in (Start > Programs > Administrative Tools > Active Directory Sites And Services).
• Open the Inter-Site Transports folder, right-click either the IP or SMTP folder and select "New Site Link" from the popup menu.
• In the "New Object - Site Link" dialog box, type the name for the site link in the Name field.
• In the "Sites Not in This Site Link" box, click two or more sites to connect, and then click Add. Click OK.
The newly created Active Directory site link is listed in the Active Directory Sites and Services snap-in.
How to configure Site Link attributes
You should configure the site link's properties after you create a site link. Configuring a Site link allows
you to specify the link cost, replication schedule, and replication interval. An Active Directory Site
Link's property can be configured as explained below.
In "Active Directory Sites And Services" snap-in, site links are added to either IP or SMTP folder under
Inter-Site Transports. Select the protocol folder (Either IP or SMTP) by clicking the folder, right click
the Site Link which you want to configure and select "Properties" from the pop-up menu.

The Properties dialog box of "Chn-Blore" Site Link will be displayed, as shown below.

In the above dialog box, you can configure two important properties related to site link, Link Cost and
Site Link replication frequency, as explained below.

Configuring Site link Cost
Site Link Cost is a value assigned to the site link that indicates the cost of the connection in relation to the speed of the link. Higher costs are used for slow links, and lower costs are used for fast links: if you have a high-speed connection, configure a lower cost value, and if you have a low-speed connection, configure a higher cost value. Active Directory uses the lowest-cost connection whenever possible.

Configuring Site Link Replication Frequency
The Site Link Replication Frequency value instructs Active Directory at what interval, in minutes, it should check for replication updates. The minimum replication interval is 15 minutes and the maximum is 10,080 minutes (one week).
Click the "Change Schedule" button in the Site Link properties dialog shown above to configure the times when this site link is or is not available to replicate directory information. Click the "OK" button to complete.

What are a bridgehead server, a preferred bridgehead server and the Knowledge Consistency Checker (KCC)?
The replication topology in Active Directory is generated automatically by a service known as the Knowledge Consistency Checker (KCC). The KCC helps to keep the same database information across all domain controllers and ensures that replication can always take place between Active Directory Domain Controllers.
When two sites are connected by a Site Link, the KCC automatically selects one bridgehead server in each site for each domain that has Domain Controllers in the site. The data that needs to be replicated is first sent to the bridgehead server of a site and then replicated from the bridgehead server to the other domain controllers inside that site.
A Preferred Bridgehead Server is a Domain Controller in a site, specified by an administrator, to act as a Bridgehead Server. More than one preferred Bridgehead Server can be specified, but only one server is active at a time in a site. A preferred bridgehead server should be a Domain Controller with a high-bandwidth connection to transmit and receive information. If only one preferred bridgehead server is configured in a site, there will not be any replication when that server is not available.
A preferred Bridgehead Server can be designated by the following steps.
• In the “Active Directory Sites And Services” console tree, click the site that contains the Domain
Controller which is going to be a preferred bridgehead server. Right click the Domain Controller and
select the Properties from the popup menu.

• Select the intersite transport or transports for which this computer will be a preferred bridgehead
server. Click Add, and then click OK.

What is a Site Link Bridge and how to create a Site Link Bridge
A site link bridge connects two or more site links. A site link bridge enables transitivity between site links. Each site link in a bridge must have a site in common with another site link in the bridge.
By default, all site links are transitive, and it is recommended to keep transitivity enabled by not changing the default value of "Bridge all site links" (enabled by default).
You may need to disable "Bridge all site links" and create a site link bridge design:
• When the IP network is not fully routed.
• When you need to control the replication flow in Active Directory.
To create a site link bridge, follow these steps:
• Open Active Directory Sites And Services.
• Open the Inter-Site Transports folder, right-click either the IP or SMTP folder, and then click New Site Link Bridge.
• Type a name for the site link bridge and select the site links to be added to this site link bridge.
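As an added example (not from the original article) covering both the site link cost section and the site link bridge section above, the following Python model computes the lowest-cost replication route between two sites under both bridging settings. It assumes that a transitive route is scored as the sum of its site link costs; the site names, links and costs are constructed sample values (the link name "Chn-Blore" is reused from the text).

```python
# Added example (not from the original article): a small model of how the KCC
# picks a replication route over site links, following the rules the text
# gives: the lowest-cost route wins, every site link is transitive while
# "Bridge all site links" is enabled, and with it disabled only links inside
# an explicit site link bridge are transitive.  Assumption: the cost of a
# transitive route is the sum of the site link costs along it.  Site names,
# links and costs are constructed sample values.
import heapq

DEFAULT_SITE_LINK_COST = 100  # default cost Windows Server 2003 assigns


class SiteLink:
    def __init__(self, name, sites, cost=DEFAULT_SITE_LINK_COST):
        if len(sites) < 2:
            raise ValueError("a site link must connect two or more sites")
        self.name = name
        self.sites = frozenset(sites)
        self.cost = cost


def bridge_is_valid(links):
    """Each site link in a bridge must share a site with another link in the
    bridge; checked here as: the links chain together into one connected set."""
    if len(links) < 2:
        return False
    reached, frontier = {links[0]}, [links[0]]
    while frontier:
        current = frontier.pop()
        for other in links:
            if other not in reached and current.sites & other.sites:
                reached.add(other)
                frontier.append(other)
    return len(reached) == len(links)


def _cheapest_within(source, target, links):
    """Dijkstra over one set of mutually transitive site links.
    Returns (total_cost, [site link names]) or None if unreachable."""
    heap = [(0, source, [])]
    visited = set()
    while heap:
        cost, site, path = heapq.heappop(heap)
        if site == target:
            return cost, path
        if site in visited:
            continue
        visited.add(site)
        for link in links:
            if site in link.sites:
                for nxt in link.sites - {site}:
                    if nxt not in visited:
                        heapq.heappush(heap, (cost + link.cost, nxt, path + [link.name]))
    return None


def cheapest_route(source, target, links, bridge_all=True, bridges=()):
    """Cheapest replication route between two sites under the bridging policy."""
    if bridge_all:
        groups = [list(links)]
    else:
        # Only a valid explicit bridge lets a route span several links;
        # a single site link is always usable on its own.
        groups = [list(b) for b in bridges if bridge_is_valid(list(b))]
        groups += [[link] for link in links]
    best = None
    for group in groups:
        found = _cheapest_within(source, target, group)
        if found and (best is None or found[0] < best[0]):
            best = found
    return best


# Constructed sample topology: "Chn-Blore" reuses the link name from the text.
CHN_BLORE = SiteLink("Chn-Blore", ["Chennai", "Bangalore"])          # cost 100
BLORE_MUM = SiteLink("Blore-Mum", ["Bangalore", "Mumbai"], cost=200)
CHN_MUM = SiteLink("Chn-Mum", ["Chennai", "Mumbai"], cost=400)       # slow direct WAN
MUM_DELHI = SiteLink("Mum-Delhi", ["Mumbai", "Delhi"], cost=150)
SAMPLE_LINKS = [CHN_BLORE, BLORE_MUM, CHN_MUM, MUM_DELHI]

if __name__ == "__main__":
    # Bridged: the two-hop route (100 + 200) beats the direct 400 link.
    print(cheapest_route("Chennai", "Mumbai", SAMPLE_LINKS))
    # Unbridged with no explicit bridge: only the direct link is usable.
    print(cheapest_route("Chennai", "Mumbai", SAMPLE_LINKS, bridge_all=False))
    # Unbridged, but an explicit bridge restores the cheaper two-hop route.
    print(cheapest_route("Chennai", "Mumbai", SAMPLE_LINKS, bridge_all=False,
                         bridges=[(CHN_BLORE, BLORE_MUM)]))
```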
What is the Active Directory Global Catalog?
The Active Directory Global Catalog is the central store of information about objects in an Active Directory forest. A Global Catalog is created automatically on the first domain controller in the first domain in the forest. The Domain Controller hosting the Global Catalog is known as a Global Catalog Server. A Global Catalog server stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest. The Global Catalog helps in searching for Active Directory objects across the forest more efficiently.
The Active Directory Global Catalog is responsible for several other important functions of Active Directory, such as the following:
• Logon validation of universal group membership
• User Principal Name (UPN) logon validation through DC location
• Search capabilities for every object within an entire forest
The function of a Global Catalog can be compared with a telephone directory: like a telephone directory, the Global Catalog stores information that users can query to find specific entries.
When you create the Active Directory forest, by default the first Domain Controller serves as the Global Catalog Server, but any Domain Controller can be designated as a Global Catalog Server.
To configure a Domain Controller as Global Catalog Server, follow these steps.
• Open Active Directory Sites and Services (Start > Programs > Administrative Tools > Active
Directory Sites and Services).
• Select the Sites branch.
• Select the site that owns the server, and expand the Servers branch.
• Expand the Domain Controller by double clicking on it.
• Right click the “NTDS Settings” and select properties from the popup menu.

If you want to assign this Domain Controller as the Global Catalog, check the checkbox "Global
Catalog" in "NTDS Settings Properties" dialog box.

What is Universal Group Membership caching?

If you have sites separated by slow or unreliable WAN links, the usual practice is to place a GC server at each local site, but this can increase replication traffic. If the domain is operating at the Windows Server 2003 functional level, domain controllers can instead be deployed that store universal group membership information locally.
Universal Group Membership Caching is most practical for smaller branch offices with low-capacity servers that cannot handle the additional load of hosting a GC, or for locations that have extremely slow WAN connections.
When a user attempts to log on for the first time, the Domain Controller obtains the universal group membership for that user from a Global Catalog. This information is cached on the Domain Controller for that site indefinitely and is periodically refreshed every 8 hours. Up to 500 universal group memberships can be updated at once.
The benefits of Universal Group Membership Caching are:
• Faster logon times.
• Hardware upgrades to support a Global Catalog are not required.
• Low network bandwidth consumption.

How to configure Universal Group Membership caching

To enable Universal Group Membership Caching, follow these steps.
• Open Active Directory Sites and Services (dssite.msc).
• Click the site for which to enable universal group membership caching.
• Right click NTDS Site Settings in the details pane and then click Properties.
• Select the Enable Universal Group Membership Caching check box.
• In Refresh cache from, click a site from which this site will refresh its cache, or accept <Default> to refresh the cache from the nearest site that has a global catalog.
Operations Master Roles (Flexible Single Master Operations - FSMO)
Operations master roles (also known as flexible single master operations, or FSMO) are special roles assigned to one or more domain controllers in an Active Directory domain.
Active Directory supports multi-master replication of the directory data store between all domain controllers in the domain, so all domain controllers in a domain are considered essentially peers. But replication conflicts do occur during Active Directory replication, and some operations on a Windows Server 2003 Active Directory could be harmful if conflicts were to occur. For these operations, Windows 2003 reverts to a single-master model: a single Domain Controller on the network takes responsibility for performing a specific task, and such a Domain Controller is called an Operations Master.
There are five Operations Master Roles; two of them are forest-level roles and three of them are domain-level roles. The following table lists the Operations Master Roles and their scope.

Operations Master | Scope
Schema Master | Forest wide
Domain Naming Master | Forest wide
Primary Domain Controller (PDC) Emulator | Domain wide
Relative Identifier (RID) Master | Domain wide
Infrastructure Master | Domain wide

Schema Master
The Active Directory schema defines what can exist within the directory. Managing the process of updating it with new objects and attributes should be a closely monitored process. There is only a single read/write copy of the schema on your Windows Server 2003 network, stored on the Schema Master. The domain controller assigned the schema master role controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master.
There is only a single Schema Master in the entire forest at any time.

Domain Naming Master
All objects within AD must be unique. You cannot create two objects in a container with the same name, and the distinguished names of all objects must be unique. The Domain Naming Master ensures that new domains added to your Windows Server 2003 forest have unique names.
There is only a single Domain Naming Master in the entire forest at any time.

PDC (Primary Domain Controller) Emulator
The PDC emulator services network clients that do not have Active Directory client software installed, and it replicates directory changes to any Microsoft Windows NT backup domain controllers (BDCs) in the domain.
Even when the domain is operating at the Windows 2003 functional level, the PDC Emulator is required to perform certain tasks.
The PDC emulator receives preferential replication of password changes performed by other domain controllers in the domain. If a password was recently changed, that change takes time to replicate to every domain controller in the domain. If a logon authentication fails at another domain controller due to a bad password, that domain controller forwards the authentication request to the PDC emulator before rejecting the logon attempt.
There is only a single PDC Emulator per domain.

Relative ID (RID) Master
A Security Principal is an Active Directory object that can be assigned permissions within a Windows Server 2003 network. Examples of Security Principal objects are users, groups, and computers. Each Security Principal is assigned a Security Identifier (SID) so it can be identified.
A Security Identifier (SID) is made up of two components. The first component, the domain SID, is
common to all security principals in a domain. The uniqueness in SID comes from the addition of a
second number, the Relative Identifier (RID). The RID is assigned from a pool of RIDs stored at each
Domain Controller. The RIDs in this pool are assigned to each Domain Controller by the RID Master.
The format of SID follows this pattern: S-R-IA-SA-SA-RID.
• S represents a SID identifier.
• R represents the Revision. All SIDs generated by Windows use a revision level of 1.
• IA represents the issuing authority.
• SA represents a sub-authority, and
• RID is the Relative ID
A typical user SID looks like this: S-1-5-21-1683771067-1221355100-624655392-1001.
RIDs are assigned to each DC in blocks of 500 RIDs. When the block of RIDs is exhausted, the DC
requests another block from the RID Master. To ensure uniqueness, the RID Master keeps track of
which RID blocks have been assigned.
If the RID pool on a DC is exhausted and the RID Master is not available, you will not be able to create
Security Principals (Example: a user) on that server.
There is only a single RID Master per domain.
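As an added example (not from the original article), the following Python code parses the SID quoted above into its S-R-IA-SA-RID components and models the RID block allocation just described, including what happens when a DC's pool runs dry while the RID Master is unavailable. The starting RID of 1000 and the DC names are constructed sample values.

```python
# Added example (not from the original article): parse a SID of the form
# S-R-IA-SA-...-RID into its components, and model how a domain controller
# hands out RIDs from the 500-RID block it receives from the RID Master.
# The SID string and the block size are the ones quoted in the text; the
# starting RID (1000) and the DC names are constructed sample values.

RID_BLOCK_SIZE = 500  # RIDs are assigned to each DC in blocks of 500


def parse_sid(sid):
    """Split a textual SID into revision, issuing authority, sub-authorities
    and RID.  For a domain SID (S-1-5-21-...) the domain part is also returned
    so the caller can see which component is shared by every principal."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    if revision != 1:  # all SIDs generated by Windows use revision 1
        raise ValueError("unexpected SID revision %d" % revision)
    numbers = [int(p) for p in parts[3:]]
    result = {
        "revision": revision,
        "issuing_authority": authority,
        "sub_authorities": numbers[:-1],
        "rid": numbers[-1],
    }
    # Domain SIDs are issued by the NT authority (5) with first sub-authority 21.
    if authority == 5 and numbers[:1] == [21] and len(numbers) == 5:
        result["domain_sid"] = "-".join(parts[:-1])
    return result


class RidMaster:
    """The one DC per domain that tracks which RID blocks have been assigned."""

    def __init__(self, first_rid=1000):
        self.next_rid = first_rid
        self.available = True          # flip to False to model an outage
        self.assigned = []             # (dc_name, first_rid, last_rid)

    def allocate_block(self, dc_name):
        if not self.available:
            return None
        block = (self.next_rid, self.next_rid + RID_BLOCK_SIZE - 1)
        self.assigned.append((dc_name, block[0], block[1]))
        self.next_rid += RID_BLOCK_SIZE  # blocks never overlap, so SIDs stay unique
        return block


class DomainController:
    def __init__(self, name, domain_sid, rid_master):
        self.name = name
        self.domain_sid = domain_sid
        self.rid_master = rid_master
        self.pool = None               # (next_free_rid, last_rid_in_block)

    def create_security_principal(self):
        """Return the SID of a newly created user/group/computer, fetching a
        fresh block from the RID Master when the local pool is exhausted."""
        if self.pool is None or self.pool[0] > self.pool[1]:
            self.pool = self.rid_master.allocate_block(self.name)
            if self.pool is None:
                raise RuntimeError(
                    "%s: RID pool exhausted and RID Master unavailable" % self.name)
        rid = self.pool[0]
        self.pool = (rid + 1, self.pool[1])
        return "%s-%d" % (self.domain_sid, rid)


SAMPLE_SID = "S-1-5-21-1683771067-1221355100-624655392-1001"  # from the text

if __name__ == "__main__":
    info = parse_sid(SAMPLE_SID)
    print(info)
    master = RidMaster()
    dc1 = DomainController("DC1", info["domain_sid"], master)
    for _ in range(501):               # the 501st creation needs a second block
        last = dc1.create_security_principal()
    print(last, master.assigned)
```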

Infrastructure Master
The domain controller assigned the infrastructure master role is responsible for updating the group-to-
user references whenever the members of groups are renamed or changed.
There is a single Infrastructure Master per domain.
